Cryptography on NonTrusted Machines - PowerPoint PPT Presentation

1
Cryptography on Non-Trusted Machines
  • Stefan Dziembowski

2
Outline
  • Introduction
  • State-of-the-art
  • Research plan

3
Idea
Design cryptographic protocols that are secure
even on the machines that are not fully
trusted.
4
How to construct secure digital systems?
MACHINE (PC, smartcard, etc.)
very secure: security based on well-defined
mathematical problems.
implementation
CRYPTO
not secure!
5
The problem
MACHINE (PC, smartcard, etc.)
easy to attack
implementation
hard to attack
CRYPTO
6
Machines cannot be trusted!
1. Information leakage
MACHINE (PC, smartcard, etc.)
2. Malicious modifications
7
Relevant scenarios
MACHINES
. . .
PCs
specialized hardware
  • malicious software
  • viruses,
  • trojan horses.
  • side-channel attacks
  • power consumption,
  • electromagnetic leaks,
  • timing information.

8
The standard view
anti-virus software, intrusion detection, tamper
resistance,
MACHINE (PC, smartcard, etc.)
practitioners
Implementation is not our business!
definitions, theorems, security reductions, ...
CRYPTO
theoreticians
9
Our model
(standard) black-box access
cryptographic scheme
additional access to the internal data
10
  • State-of-the-art

11
Bounded-Retrieval Model
Idea: protect against the theft of secret data by
making the secrets artificially large
MACHINE (PC)
any bounded-output function
large cryptographic secret (e.g. a key)
S
virus sends S to the adversary
?

S
h(S)
virus
12
Example of a protocol in the Bounded-Retrieval
Model
  • Entity authentication [Dziembowski, TCC 2006]

BANK
USER'S MACHINE
key S = (S1,...,Sn)
key S = (S1,...,Sn)
verifies
  • Other results
  • Session-key agreement [Dziembowski, TCC 2006],
  • Secure storage [Dziembowski, CRYPTO 2006],
  • Secret sharing [Dziembowski and Pietrzak, FOCS
    2007].
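
An added sketch of the idea on slides 11 and 12 (not code from the slides or from the cited paper, whose actual protocol is not reproduced here): bank and user share a large key S, the bank probes random positions, and a virus that could only send a bounded part of S cannot answer. The sizes N and K, the function names and the SHA-256 response format are assumptions, and the prefix leak stands in for just one of the bounded-output functions the model allows.

```python
import hashlib, hmac, secrets

N = 1 << 20   # key size in bytes (constructed; the model assumes far larger keys)
K = 64        # positions probed per login (assumed parameter)

def keygen(n=N):
    """Large random key S = (S1,...,Sn) shared by bank and user's machine."""
    return secrets.token_bytes(n)

def challenge(n=N, k=K):
    """Bank: a fresh nonce plus k random positions of S."""
    return secrets.token_bytes(16), [secrets.randbelow(n) for _ in range(k)]

def respond(lookup, nonce, idx):
    """Hash the nonce with the probed key bytes; lookup(i) gives S[i] or None."""
    h = hashlib.sha256(nonce)
    for i in idx:
        b = lookup(i)
        if b is None:          # a probed position is unknown: no valid answer
            return None
        h.update(i.to_bytes(4, "big") + bytes([b]))
    return h.digest()

def verify(S, nonce, idx, resp):
    """Bank: recompute from its own copy of S, compare in constant time."""
    expected = respond(lambda i: S[i], nonce, idx)
    return resp is not None and hmac.compare_digest(expected, resp)

def leak(S, fraction):
    """One bounded-output function h(S): the virus ships a prefix of S."""
    part = S[: int(len(S) * fraction)]
    return lambda i: part[i] if i < len(part) else None

def demo():
    S = keygen()
    nonce, idx = challenge()
    honest = verify(S, nonce, idx, respond(lambda i: S[i], nonce, idx))
    partial = verify(S, nonce, idx, respond(leak(S, 0.10), nonce, idx))
    return honest, partial

if __name__ == "__main__":
    print(demo())   # honest login vs. adversary holding 10% of S
```

With a 10% leak, all 64 probed positions fall inside the stolen prefix with probability 0.1^64, so the login fails unless nearly the whole key is exfiltrated.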

13
Private circuits: the model
[Figure: MACHINE containing a circuit of and, or and neg gates]
the adversary can learn the values on up to t
wires
14
Private circuits: the construction
  • [Ishai, Sahai and Wagner, CRYPTO 2003]

circuit C
circuit C
the adversary gains no advantage even if he
reads up to t wires
15
Distributed cryptography
can corrupt at most one machine
16
External trusted hardware
can corrupt
cannot corrupt
17
  • Research Plan

18
The general goal
  • Contribute to creating a new discipline
  • Cryptography on Non-Trusted Machines
  • with
  • solid foundations, and
  • practical impact.

19
Objectives
  • Extensions of the models
  • New applications and methods
  • Improvement of the previous results
  • Theoretical foundations

20
Objective 1: Extend (and unify) the existing
models
example
  • Private circuits
  • strong results
  • weaker model

anything in between?
  • Bounded-Retrieval Model
  • weaker results
  • strong model

21
Objective 2: New methods
Example 1
Key evolution
time ?
information
fixed information/second rate
22
Objective 2: New methods
human-based methods
example
can corrupt
cannot corrupt
23
Human-based methods: an example
non-trusted PC
user (no trusted hardware)
bank
keyboard, screen
internet
virus
Known method of user authentication: one-time
passwords. Drawback: authenticates the user, not
the transaction! Can we also authenticate the
transaction?
24
Objective 3: Improvement of the previous results
  • Most of the papers in this area contain just the
    feasibility results.
  • Can they be optimized?

25
Objective 4: Theoretical foundations
  • Cryptography has well-known connections to
    complexity theory.
  • Cryptography on Non-Trusted Machines provides
    new connections of this type.
  • Bounded-Retrieval Model has non-trivial
    connections to
  • the theory of compressibility of NP-instances
    [Dziembowski, CRYPTO 2006], and
  • the theory of round complexity [Dziembowski and
    Pietrzak, FOCS 2007].
  • Can these be extended?

26
Conclusion
  • Cryptography on Non-Trusted Machines - a new
    area with a big potential.
  • Dziembowski and Pietrzak. Intrusion-Resilient
    Secret Sharing. FOCS 2007
  • Dziembowski. On Forward-Secure Storage. CRYPTO
    2006
  • Dziembowski. Intrusion-Resilience Via the
    Bounded-Storage Model. TCC 2006